This means losing the master password is dangerous, so some people still choose to allow a host-side override where the business has some access, in order to enable account recovery in the case of a lost password.
I was _really_ disappointed when 1Password dropped support for Dropbox sync and pushed everyone onto their storage. I'm uncomfortable, like you, with the truly single point of failure this way: I would much rather diffuse the storage and master credentials to separate parties.
But if you're doing what most people do instead of a password manager, which is just re-use two or three passwords for everything, then you don't just have a single point of failure. You have dozens of points of failure. You're not letting "a business" know all your passwords, you're letting many businesses know your password, singular.
Also, password managers don't only come from "businesses". I use pass[0], which just gpg encrypts passwords in a git repo. If you're willing to set up sshd, git, and gpg on your devices, you can use pass.
That said I still recommend that people coming from the "old way" use something like 1Password or LastPass if self-hosted is not for them. I share your distaste for giving the keys to the kingdom to a single business, but it's better than the alternative. I trust LastPass more than I trust the weakest member among a random set of other businesses.
You don't. Password managers like Bitwarden are basically cloud storage for an encrypted blob that happens to contain your passwords wrapped up with a nice UI/UX and handle all the syncing for you between your devices. They don't "know" your passwords. They sync that blob and then all encryption and decryption is done on your device.
Not to mention with Bitwarden you can run your own server if you are comfortable doing so and don't want to rely on their servers.
> making it my single point of failure
So maintain backups of your encrypted vault. Also Bitwarden (which is what I use) doesn't require an internet connection to unlock your vault so even if you're stuck somewhere with no net access you can still access all your data. Export it, etc. It is 100% offline for use, internet connection is only needed to sync the encrypted blob.
---
IMHO the benefits of a good password manager with nicely integrated password management, history, generation, MFA, etc. far outweigh the drawbacks of your account being hacked.
I have over 300 logins in my password manager.
I only have to remember a few actually important passwords in my brain which makes life exponentially easier when logging in to so many different services each day.
To solve this, you can drop either one of the "memorability" or "uniqueness" requirements. Most people naturally drop "uniqueness" and reuse the same passwords everywhere. Or you can use a password manager and drop the "memorability" requirement. It's safer and more usable to do the latter. Even writing it down in a physical notebook is an improvement over reusing the same password.
This is my concern as well. The whole idea of my passwords being in a black box that is tied to my hardware seems like a recipe for disaster if I am traveling and my hardware gets stolen, lost or destroyed.
(maybe there is something that I am failing to understand, but I've watched several videos that attempt to explain how a PW manager works and I've not found an answer)
- the master key derives from 1. your password, and 2. a long, random key that you type manually on each new device (so you can’t brute-force the password just from the server’s data, and you can’t decrypt the data just from your hard drive without the master password),
- none of these keys ever leave your devices (encryption and decryption happen client-side),
- the key is deleted from RAM, locking the vault, if you’re inactive for too long.
That makes some attacks hard. It will be defeated if malware can get 1. your secret key and 2. your master password. But in that case, your login cookies and what you type in login forms are vulnerable too, so there isn’t much difference.
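The two-secret model described in the list above (slow KDF on the master password, XORed with a stretched high-entropy secret key that never reaches the server), as an added illustration that is not any vendor's actual implementation; the iteration count, HKDF label and verifier construction are assumptions chosen to show the principle with only the Python standard library:

```python
# Added illustration of the two-secret vault-key model; NOT 1Password's or
# any product's real code. Iteration count, HKDF info label and the
# server-side "verifier" are assumptions for the demonstration.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption; real products tune this higher


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand, one block, up to 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine both secrets into one 256-bit key, client-side.

    The password half goes through a slow KDF; the secret-key half (high
    entropy, typed once per device) is stretched with HKDF and XORed in, so
    neither the server's data nor the disk alone yields the key.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32
    )
    sk_part = hkdf_sha256(secret_key.encode(), salt, b"vault-key-example", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(vault_key: bytes) -> bytes:
    """Something a server could store to check a login: a MAC over a label.
    It cannot be matched without both secrets (assumed construction)."""
    return hmac.new(vault_key, b"verifier", hashlib.sha256).digest()


def guess_password_without_secret_key(candidates, salt: bytes, verifier: bytes) -> bool:
    """Offline guessing with only the server's data (salt + verifier) and no
    secret key: even the correct password never matches the verifier."""
    for guess in candidates:
        pw_only = hashlib.pbkdf2_hmac(
            "sha256", guess.encode(), salt, PBKDF2_ITERATIONS, dklen=32
        )
        if hmac.compare_digest(make_verifier(pw_only), verifier):
            return True
    return False


def demo() -> bool:
    """Returns whether password-only guessing succeeded (it does not)."""
    salt = os.urandom(16)
    password = "correct horse battery staple"        # constructed sample
    secret_key = "A3-EXAMPLE-SECRET-KEY-NOT-REAL"     # constructed sample
    key = derive_vault_key(password, secret_key, salt)
    verifier = make_verifier(key)
    # A second device holding both secrets re-derives the identical key.
    assert derive_vault_key(password, secret_key, salt) == key
    # The correct password is in the guess list, yet without the secret key
    # the verifier cannot be matched.
    return guess_password_without_secret_key(["hunter2", password], salt, verifier)
```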
That said, the model is generally broken and LastPass is near the bottom of the heap.
If you or they are not technically inclined, write them down on a piece of paper, stored safely.
If you are, encrypt a file or volume on your computer and use that.
I've done and advised this forever and each little story like this leaves me convinced that these ways, while not perfect, definitely beat all the others.
They previously had a cli for Linux. It was designed to provide everything you'd need to build a nice ui but since it was a little low-level it didn't have great ux.
I wasn’t a huge fan of their move to a hosted model but I went with it and even so, I have to say that their service is good, reliable and instilling of confidence.
If I was starting from scratch I’d probably look more closely at Bitwarden (likely to use their hosted service but knowing I have the option later to self-host).
I would suggest that most people would likely be served well by either of these solutions at this point in time.
There's a free reimplementation of its server which also seems to be highly recommended:
BitWarden:
* Open-Source
* Affordable pricing
* Good, working browser extensions and desktop app
I've not had a single issue with it since, it's fully compatible with the official bitwarden app (which works rather well), and is much easier to use when other people in your household also need to manage their passwords.
Point of note : the android app syncs the database locally, and can be accessed/used/exported even offline, which is very, very reassuring in case of server/network failure
It's also recommended by Troy Hunt, who has a reputation at stake in all of this, since he runs stuff like https://haveibeenpwned.com
There’s no looking back. LastPass was buggy and the UI ugly. That was fine when it was free but when they went to fee based for cross platform support we switched the whole family over to LastPass. Everything works, is pleasant to use, and no slimy tactics.
Importing from LastPass was easy.
1. Their auditing ("Event Logs") feature is unusable. It refers to items by some magical identifier which does not correspond to the name in the vault, e.g. "Viewed password for item ebabefac".
2. Payments by anything other than Credit Card are a mess, which is a serious pain if you have a lot of users. It took us weeks and many support interactions to get something as trivial as a bank transfer sorted.
3. It's still (!) lacking a feature to actually send people passwords ... as in sysadmin creates some account for a user, presses a magical button in BW, and it ends up in the user's vault (or maybe they get a message and are asked to import it, whatever). BW recommends you use the "Send" feature, which is basically a glorified pastebin.
4. The UX is .... not great. Organization vs Personal Collection view is confusing. Every time we onboard a new user we get questions about how they should store personal passwords.
It works well enough, but I don't think the enterprise plan is worth the 60/user/year price tag.
Names and all other identifiers can be changed freely, so Bitwarden refers to passwords by their unchangeable UUID; that way you can keep track of an entry across any such changes.
What bitwarden lacks is an easy way to search for passwords by UUID, but that's a rather minor UX improvement.
> It's still (!) lacking a feature to actually send people passwords ...
Yeah, that surprised me as well. Back in 2014 or so we added magic password://uuid links to our internal password management tool, you can just send people the link, and when they clicked it, it opened that particular password, as long as they had access. I would've expected the competition to have picked up on it ages ago, but c'est la vie.
For exchanging passwords with external users, Send is reasonable enough IMO.
> The UX is .... not great.
Agreed. But given that everything else is solid and open source, I'll take it over any competitors, or continuing maintenance of our own tool, which quickly gets a whole lot more expensive...
It may have better auditing (though I confess I just pay for hosted so I can't say for sure).
It’s… fine, but many areas of integration with browser and on iOS are significantly less polished and pleasant to use. Things like credit cards are entirely manual on iOS. It’s definitely a worse experience on the convenience side.
That, and even though it’s relatively easy to migrate, it’s even easier to not spend the effort reworking your workflows and ways you use password tools.
Yeah, this. I've been using LastPass since 2012 - four years before BitWarden even existed. BitWarden actually looks excellent and I'm tempted to switch, but the easiest thing is just to not do anything.
But everyone that I know that uses it, hosts their own anyway (I don't agree with Moxie's thing of "people don't want to host their own servers and never will" - clearly not true for some people). But that was beside the point anyway, open server design means you can choose who runs your server for you.
It seems like LastPass is angling to become the AOL of password managers, and by that I mean they want a bunch of old customers who never bother to switch to something better.
If I had to recommend a pw manager to someone I'd probably suggest they just save them in-browser, and use the same browser (Chrome/FF/Edge) across all their devices. Chrome has a pretty good password suggestion feature. Other browsers are probably not far behind.
To be honest though I'm still not 100% moved over, and may never be. I doubt I'll need to transfer the login to the public library from a town I lived in 10 years ago.
This has security implications and is what cautioned me against it.
Other password managers don't do this and look at iframe domains before filling them in.
Am I missing something?
Here [1] is an example of migrating passwords from LastPass to KeePassXC. Does anyone have more examples like this for other pw managers?
[1] - https://blog.paranoidpenguin.net/2018/12/migrating-from-last...
I have no reason to believe BitWarden would try to hold my passwords hostage. But I prefer the solution where they can't.
You get full control over how to handle multi-device synchronization because it doesn't attempt to do this at all...
Now, the question is “why would I trust this?” to which I answer: I trust them to safeguard my passwords.
You get the benefits of people making money off this service and thus keeping up to date clients and plugins. If it becomes bad you dump your data and go somewhere else.
They also store regular copies of your vault in a backup folder. If Satan buys them and they try to lock you out, just decrypt your backups and move somewhere else.
Sign in to LastPass web -> Advanced Options -> Export -> Verify export by email -> Advanced Options -> Export (again) -> List of passwords in CSV format.
I guess Bitwarden secured itself a test-run.
edit: for clarity, the downloaded csv was defective, the csv shown seems complete. This is a problem.
Apple is not (always) a good actor; they've been caught intentionally degrading the performance of older hardware, in order to increase sales of new hardware. But, they seem very keen on maintaining the privacy and safety of their users, which is true of essentially no other tech company on the planet.
I'm still not all-in on the Apple ecosystem, but stuff like this always makes me pause.
I feel more comfortable when a company is trying to earn my money by delivering a good product with good service. Of course that doesn't always work out, but I feel it's a better shot.
https://support.apple.com/guide/icloud-windows/set-up-icloud...
> Having no formal support channel
When I last had to deal with their so-called support, all contact details were very efficiently hidden. Once you found a page with a phone number, and the hours you could call them, there was one final surprise:
"The phone number you are trying to reach is not in use". The only contact that works reliably at LastPass is their billing department. Make of that what you will.
It tells you that it is a credit monitoring service when you call, but it is indeed the password manager service....
800-830-6680 and then press 3 (the other 2 options disconnect you)
That actually sounds like it might be a business model (at least in places where the proletariat don't get too uppity). You run a password manager service and calculate data on people's password strengths and the number of duplicated passwords they use, and then feed this data to some sort of credit check system.
I think I eventually figured out some methodology of opening some graphical element in a new frame or something that got it working partially but that was what made me cancel everything and switch to BitWarden. Ridiculous.
Lastpass Enterprise has issues, but it does allow the above.
However for those who are so inclined I can see the value.
Could you elaborate on this?
I'm not an enterprise user, however, as a happy commercial Bitwarden user, I was annoyed that the company I worked for moved to LastPass relatively recently. I'd love to know what may have made them choose LP over Bitwarden.
Inertia. Lastpass still works, and frankly it's not high on my list of priorities to research and switch to a new password manager. Some people have time to obsess over this stuff, I don't anymore.
And frankly, data export barriers wouldn't be a difficulty for me (I wouldn't mind re-keying stuff if that's what it took, and that's what I did to get my passwords into LastPass). Deciding on a direction is way more work, and that's the real barrier.
Also, it's kind of pointless. The alternatives will almost certainty be some open source thing with major UX friction and personal maintenance burden, or some for-profit service that will eventually be corrupted in exactly the same way as LastPass has.
Because I've managed to miss any news damning enough to make me decide to switch.
It's possible that either:
a) I've overlooked something
b) You and I have different priorities
c) You're being hyperbolic.
I genuinely don't know which but your phrasing and tone makes me lean towards (c)
The internet is full of people shouting "God. [Company] is the worst!" - if you want to be persuasive then it's probably better to not sound like them.
Let me give you this site's own experiences with the company.
https://www.google.com/search?q=lastpass+site:news.ycombinat...
Both easily generate long random passwords, etc.
For me this is a solved problem (until Firefox's service is hacked, of course) to the point that my real pain point is remembering the random strings I use for "security question" answers. For that I use a KeepPass database. But I wish FF/Safari would see the need and add security questions fields to their management.
No way am I giving real information for those. Why yes my mother's maiden name is cd559b1085b94b2dad32bb9e458e2422 so sorry to hear it was leaked, SONY.
https://en.wikipedia.org/wiki/2011_PlayStation_Network_outag...
1. avoid vendor lock-in (if I want to switch browsers I can, or switch from iOS to Android)
2. enable portability, with passwords not just being available locally requiring manual migration to other devices
Do you have problems/qualms with the above just using browser password managers?
On Android, Firefox can autofill passwords in any app.
I honestly have no idea how the GDPR got implemented. A true policy that actually benefits the citizens of Europe, in a world where most policies are to screw over everyone but the rich.
Is this reasonable, or trying to whip up resentment based on speculation? It partly feels questionable because the author is a US resident, and the company is a US company - of course that’s no reason not to discuss/comply with GDPR - but paired with the lack of specifics and the explicit speculation with words like “appears” and “likely knowingly” that have no accompanying proof, it feels like more hit piece than valid legal concerns.
There may be real, valid, and large reasons to have resentments here, I have no opinion on that. But LastPass doesn’t necessarily “have” everyone’s passwords, because many are encrypted and LastPass can’t decrypt them.
Does article 20 really apply to data encrypted such that the company has no access? That seems unlikely. Article 20 might require that LastPass export someone’s user profile and credit card information, but it was not designed as way for people to demand UI features they want or force companies to offer service for free, right?
>- Only making the export function available via the desktop browser plugin, despite locking peoples accounts to either Desktop or Mobile after 3 switches between these platforms.
I have exported all my accounts via the web interface, and the three times I've done that it exported a truncated CSV file with about 30 lines, while printing the whole file content in the web page you access. That means the CSV you downloaded probably is not complete and you have to copy some lines from the web.
I was lucky to investigate a weird warning, about some missing fields in the last row, that SQLite gave me after importing all the accounts to a database.
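A sanity check for an exported password CSV like the one described in the comment above (and the export procedure quoted earlier in the thread): it flags a file whose last row was cut off and lists rows that appear in the full listing shown on the page but are missing from the downloaded file. Added example, not part of the original post; the header layout and the sample rows are constructed, not a real export:

```python
# Added example: verify a downloaded password CSV before trusting it.
# The column layout below is an assumption modelled on a LastPass-style
# export; the rows are constructed sample data, not real credentials.
import csv
import io

# Constructed sample: the third data row is cut off mid-line, as a
# truncated download would be.
DOWNLOADED = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    "https://example.com,alice,s3cret,,,Example,Web,0\n"
    "https://bank.example,alice,hunter2,,,Bank,Finance,1\n"
    "https://mail.example,alice,pa55,,,Mail"
)

# Constructed sample: the complete listing as rendered on the web page.
DISPLAYED = (
    "url,username,password,totp,extra,name,grouping,fav\n"
    "https://example.com,alice,s3cret,,,Example,Web,0\n"
    "https://bank.example,alice,hunter2,,,Bank,Finance,1\n"
    "https://mail.example,alice,pa55,,,Mail,Web,0\n"
)


def validate_export(text: str) -> dict:
    """Check every row has the header's column count; report short rows.

    csv.reader handles quoted multi-line note fields, so reader.line_num
    (not a simple counter) gives the physical line of each record.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    expected = len(header)
    complete, bad_rows = 0, []
    for row in reader:
        if not row:                      # skip blank lines
            continue
        if len(row) != expected:
            bad_rows.append((reader.line_num, len(row)))
        else:
            complete += 1
    return {
        "columns": expected,
        "complete_rows": complete,
        "bad_rows": bad_rows,            # (line number, fields found)
        "truncated": bool(bad_rows) or not text.endswith("\n"),
    }


def rows_missing_from_download(downloaded: str, displayed: str) -> list:
    """Rows in the on-page listing that the downloaded file lacks.
    A cut-off row in the download counts as missing, since it differs."""
    have = {tuple(r) for r in csv.reader(io.StringIO(downloaded))}
    return [r for r in csv.reader(io.StringIO(displayed)) if r and tuple(r) not in have]


if __name__ == "__main__":
    report = validate_export(DOWNLOADED)
    print(report)
    for row in rows_missing_from_download(DOWNLOADED, DISPLAYED):
        print("copy from page:", row)
```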
I have read some others on HN describe stories where it didn't go so well. Private Notes not exported (I saw this on HN before I cancelled, but mine all came over), incomplete exports (I got everything), etc.
But yeah... do be careful and give yourself a grace period.
Same gross tactics and lock in. IIRC LogMeIn refused to let me delete my credit card details or cancel my plan and their “support contact” was completely unresponsive.
Can’t remember if I just used fake card details or blocked the transaction by locking/cancelling the credit card but it was a real nightmare.
After they were acquired, LogMeIn was quite happy to charge my credit card for the premium service, for several years running. Never did get a refund.
I have another related issue: it is not possible to export your TOTP seeds from lastpass authenticator.
I contacted the lastpass/logmein dpo, which (in my case at least) got forwarded to their generic support-by-email. They were slow to respond, and eventually claimed they could not export my one time passwords because they are encrypted. This is obviously false, they can decrypt the data just fine (I actually switched to a new phone, authenticator data got synced as you would expect). And other apps such as Google Authenticator allow you to export your data.
I filed a gdpr complaint with my national Data Protection Authority, which after a long response time got accepted, and is now forwarded to the Irish DPA.
If you want to assert your rights, contact Lastpass/Logmein at privacy@logmein.com or via their support page [0] (from their privacy page [1]), and demand access to your data. If they refuse, or do not respond within 30 days, file a complaint with your DPA [2], with proof that you requested your data but got denied.
[0] https://support.logmeininc.com/contactus
[1] https://www.logmein.com/nl/legal/privacy/international#right...
The contact page for the California Privacy Protection Agency: https://cppa.ca.gov/about_us/contact.html
The contact info for the national data protection authorities in the EU, Iceland, Liechtenstein, and Norway is linked at [2] in the comment above.
Though it would be foolish to trust such an extension, given the existence of practices like extension hijacking. I'm sure someone could make a lot of money with a "secretly export LastPass passwords to attacker" extension.
[1] https://www.ghacks.net/2019/12/18/logmein-lastpass-to-be-acq...
[2] https://www.theverge.com/2021/12/14/22833319/lastpass-indepe...
I can only personally recommend Bitwarden instead - it's open source and can never decrypt your passwords on prem. Browser plugin, mobile app, enterprise versions, etc. It has it all, and hasn't been a cunt to its users from day 1.
Also, unlike LastPass, they haven't been hacked multiple times. I cannot comprehend why anyone trusts them with their passwords - the company I work for included, I'm afraid.
As some have said the web export gave a truncated set. However the chrome browser plugin export function worked just fine and gave me a full export from two separate accounts.
This included one account that was seemingly locked in the web browser because I had cancelled my subscription and was locked into a re-subscribe page with no other options to proceed that I could figure out.
Just painlessly (finally) deduplicated my pwds in excel and imported to a bitwarden family plan. It's been so painless. The features I'm seeing make me fairly certain I'll be paying for a family org plan.
Lies, on Reddit? Shocked pikachu face.
The only problem I have is that my iPhone 7 doesn't always detect my USB-C YubiKey NFC, but I think that's a YubiKey or iPhone problem.
Got mine exported during the recent scare without too much pain.
But yeah - going to move away from LastPass. Everything about them seems to be going sour fast.
I just got a strong incentive to check out the competition.
... problem solved